.TH tcpaccept 8  "2018-10-24" "USER COMMANDS"
.SH NAME
tcpaccept.bt \- Trace TCP passive connections (accept()). Uses bpftrace/eBPF
.SH SYNOPSIS
.B tcpaccept.bt
.SH DESCRIPTION
This tool traces passive TCP connections (eg, via an accept() syscall;
connect() are active connections). This can be useful for general
troubleshooting to see what new connections the local server is accepting.

This uses dynamic tracing of the kernel inet_csk_accept() socket function (from
tcp_prot.accept), and will need to be modified to match kernel changes.

This tool only traces successful TCP accept()s. Connection attempts to closed
ports will not be shown (those can be traced via other functions).

Since this uses BPF, only the root user can use this tool.
.SH REQUIREMENTS
CONFIG_BPF and bpftrace.
.SH EXAMPLES
.TP
Trace all passive TCP connections (accept()s):
#
.B tcpaccept.bt
.TP
.SH FIELDS
.TP
TIME(s)
Time of the call, in HH:MM:SS format.
.TP
PID
Process ID
.TP
COMM
Process name
.TP
RADDR
Remote IP address.
.TP
RPORT
Remote port.
.TP
LADDR
Local IP address.
.TP
LPORT
Local port
.TP
BL
Current accept backlog vs maximum backlog
.SH OVERHEAD
This traces the kernel inet_csk_accept function and prints output for each event.
The rate of this depends on your server application. If it is a web or proxy server
accepting many tens of thousands of connections per second, then the overhead
of this tool may be measurable (although, still a lot better than tracing
every packet). If it is less than a thousand a second, then the overhead is
expected to be negligible. Test and understand this overhead before use.
.SH SOURCE
This is from bpftrace
.IP
https://github.com/iovisor/bpftrace
.PP
Also look in the bpftrace distribution for a companion _examples.txt file
containing example usage, output, and commentary for this tool.

This is a bpftrace version of the bcc tool of the same name. The bcc tool
may provide more options and customizations.
.IP
https://github.com/iovisor/bcc
.SH OS
Linux
.SH STABILITY
Unstable - in development.
.SH AUTHOR
Brendan Gregg, adapted for bpftrace by Dale Hamel
.SH SEE ALSO
tcpconnect(8), funccount(8), tcpdump(8)
